Rowland penny rpenny at samba.org
Fri Jun 18 15:26:50 UTC 2021

On 18/06/2021 15:38, Andrew Walker wrote:
> On Fri, Jun 18, 2021 at 8:25 AM Rowland penny via samba 
> <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
>     On 18/06/2021 13:08, Andrew Walker via samba wrote:
>     >>       idmap config * : range = 3000-7999
>     >>       idmap config CUSTOMER : backend = rid
>     >>       idmap config CUSTOMER : range = 10000-999999
>     >>
>     > Won't the idmap setting changes change IDs assigned for AD
>     users? This
>     > change can potentially require re-doing permissions on-disk once
>     you've
>     > made it. You might also want to keep a backup of your
>     winbindd_idmap.tdb
>     > file. I'm not saying it's a bad idea, but it's something you
>     will need to
>     > evaluate and keep in mind while making the changes (and do them in a
>     > maintenance window :))
>     Unfortunately, yes it will, but it is an artefact of not correctly
>     setting the 'idmap config' lines in the first place. The OP could
>     find
>     out what ID's the users and groups are using now and then use the
>     'ad'
>     backend and populate the rfc2307 attributes with the ID's
>     I do wish people would read our documentation before setting up a
>     Unix
>     domain member, it is easier to 'fix' something before it goes into
>     production.
>     Rowland
>     -- 
>     To unsubscribe from this list go to the following URL and read the
>     instructions: https://lists.samba.org/mailman/options/samba
>     <https://lists.samba.org/mailman/options/samba>
> Bastian, the following is not comprehensive, you should definitely 
> read / understand relevant documentation and manpages. Winbindd idmap 
> backends control how Windows SIDs are converted into Unix user and 
> group IDs. Different idmap backends have different strategies for 
> dealing with SIDs. Take, for example, the SID for DOMAIN\Administrator 
> S-1-5-21-<domain>-500.
> Your original smb.conf lacked an explicit idmap configuration for the 
> domain to which you are joined. This means that the configuration for 
> the default domain (idmap config * : range = 10000-40000) is used. In 
> this case, contents of winbindd_idmap.tdb will be checked for an 
> S-1-5-21-<domain>-500 entry, and if it doesn't exist a new entry will 
> be generated based on the current high-water-mark in the tdb file. 
> These get allocated on a first-come first-serve basis.
> Rowland's suggestion, which is a very sensible one, is to use 
> idmap_rid. The idmapping strategy here is to take the RID (the last 
> component of the SID) and add it to the configured low-range for the 
> backend. So in this case we know that DOMAIN\Administrator gets 10500.

Now you know that mapping, forget it, never use Administrator on a Unix 
domain member, always map Administrator to root (via a usermap) on a 
Unix domain member.

> Having a deterministic way of mapping SIDs to IDs is a very good 
> thing. Think about what will happen if you decide to add a second 
> samba server to the AD domain and rsync data between them. If you are 
> using idmap_rid with the same configuration options, then the 
> permissions on the files on the receiving side will behave identically 
> to what is configured on the source server. If you have a 
> non-deterministic strategy, then the situation is kind of hopeless.

Or to put it another way, select which winbind to use, then use it on 
all Unix domain members.

> Note that this does not mean that idmap_rid is always the correct 
> choice. When you are deploying a samba server in an existing AD 
> environment, the correct course of action is to figure out the 
> idmapping strategy currently in use in the domain. Often the server 
> you are deploying will not be the first Linux or FreeBSD server joined 
> to the AD domain. Many domains use RFC2307 attributes, and in this 
> case use idmap_ad. If there are samba servers already on-site, you 
> should base idmap configuration on what is deployed and in-use. There 
> are some caveats regarding SSSD that I won't get into.

I will, if you use Samba >= 4.8.0 and require shares, do not use sssd. 
If you just want authentication, you can use sssd (without Samba), but 
there are problems (sssd doesn't update tickets for instance).

> So, basically, you should bite the bullet and fix things (but think 
> carefully and research what the right fix is).

Try reading the Samba wiki:


Anything that don't understand, please ask, we rely on feedback and 
questions to try and get the wiki understandable.


More information about the samba mailing list